DESCRIPTION 



ENCRYPTION COMMUNICATION SYSTEM 

5 Technical Field 

The present invention relates to an encryption 
technology used as an information security technology. 

Background Art 

10 Recently^ the NTRU cryptosystem has been receiving 

attention because the NTRU cryptosystem can be implemented 
in a processor that has a comparatively low processing 
capability, typically used in home electrical appliances. 

In the NTRU cryptosystem, a polynomial operation 

15 (addition and multiplication) is the basic operation, and 
each coefficient of the polynomial is 8 bits or below. 
Therefore even an 8-bit CPU can easily implement the NTRU 
cryptosystem. The NTRU cryptosystem is performed at 10-50 
times as higher speed than an elliptic curve encryption, 

20 and does not necessitate a multiple precision arithmetic 
library that the elliptic curve encryption would require. 
The NTRU cryptosystem therefore has an advantage in having 
smaller code size than the elliptic curve encryption. The 
NTRU cryptosystem is detailed in non-patent reference 1 



1 



and in patent reference 1, and therefore is not described 
here . 

However^ sometimes the NTRU cryptosystem has a 
possibility of causing an error in decryption^ and the 
5 occurrence of error is not detected at the time of decryption . 
This is a problem regarding the NTRU cryptosystem, because 
encryption cannot be guaranteed to be correctly performed. 

To solve this problem, the patent reference 2 takes 
the following approach. Specifically, the transmission 

10 apparatus performs a one-way function on a plaintext to 
generate a first functional value, generates first addition 
information, performs an invertible operation on the 
plaintext and on the first addition information to generate 
concatenation information, and performs an encryption 

15 algorithm on the concatenation information to generate a 
cipher text. The reception apparatus generates second 
addition information that is identical to the first addition 
information, performs a decryption algorithm on the cipher 
text to generate decryption concatenation information, 

20 performs an inverse operation of the invertible operation 
on the decryption concatenation information and on the 
second addition information to generate a decrypted text, 
performs the one-way function on the decrypted text to 
generate a second functional value, compares the first 
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functional value and the second functional value, and if 
the values are identical to each other, the decrypted text 
is judged to be correct. In the above way, it becomes 
possible to judge whether the plaintext has been correctly 
5 decrypted. 

If a plaintext is judged to have been incorrectly 
decrypted, the receiving party can request that the 
transmitting party should re-transmit the cipher text, and 
receive the cipher text again. 

10 

(non-patent reference 1) 

Jeffrey Hoffstein, Jill Pipher, and Joseph H. 
Silverman, ^^NTRU:A ring based public key cryptosystem'% 
Lecture Notes in Computer Science, 1423, pp. 267-288, 
15 Springer-Verlag, 1998 

(patent reference 1) 

U.S. Patent number 6,081,597 

20 (patent reference 2) 

Japanese Laid-open Patent application No. 
2002-252611 

(non-patent reference 2) 
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J. Proos^ ^^Imperfect Decryption and an Attack on the 
NTRU Encryption Scheme"^ lACR ePrint Archive^. 2003/002, 
(2003) 

5 The non-patent reference 2 discloses an attacking 

method used for the NTRU cryptosystem . In this attacking 
method, in an attempt to obtain a key, an attacker transmits 
arbitrary data to a receiving party, to check whether the 
receiving party transmits a re-transmission reguest • This 
10 is a problem because this means that security cannot be 
guaranteed in the NTRU cryptosystem. 

Brief Disclosure of the invention 

The object of the present invention is to provide an 

15 encryption communication system, an encryption 
transmission apparatus , an encryption transmission method, 
an encryption transmission program, an encryption reception 
apparatus, an encryption reception method, and an 
encryption reception program, which prevent an attack that 

20 takes advantage of a re-transmission reguest in the 
encryption systems . 

(Means for solving the problem) 

In view of the above-described problem, an encryption 
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transmission apparatus encrypts one transmission message 
five times to generate five encrypted messages ^ calculates 
a hash value of the transmission message^ and transmits 
the five encrypted messages and the hash value. An 
5 encryption reception apparatus receives the five encrypted 
messages and the hash value, decrypts the five encrypted 
messages to generate decrypted messages, calculates 
decryption hash values for the decrypted messages 
respectively, if at least one of the decryption hash values 
10 matches the hash value, a corresponding decrypted message 
is considered to be correct . I f none of the five decryption 
hash values matches the hash value, a decryption error is 
considered to have occurred. 

15 Brief Description of the Drawings 

FIG. 1 is a system structure diagram showing the 
structure of the image playback system 10, which is an 
embodiment relating to the present invention. 
20 FIG. 2 is a functional block diagram showing the 

structure of a server apparatus 100. 

FIG. 3 is a functional block diagram showing the 
structure of an image playback apparatus 200. 

FIG. 4 is a flowchart showing the operation of the 
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server apparatus 100. 

FIG. 5 is a flowchart showing the operation of the 
image playback apparatus 200^ to be continued to FIG. 6. 

FIG. 6 is a flowchart showing the operation of the 
5 image playback apparatus 200^ which is a continuation from 
FIG. 5. 

FIG. 7 is a functional block diagram showing the 
structure of an image playback apparatus 200b and a memory 
card 300b^ which are included in the image playback system 
10 10 being a modification example. 

FIG. 8 is a system structure diagram showing the 
structure of a BD playback system lOc^ which is another 
embodiment relating to the present invention. 

FIG. 9 is a functional block diagram showing the 
15 structure of a memory card 300c and a BD player 200c^ which 
are included in the BD playback system 10c. 

Detailed Description of the Invention 

The following explains an image playback system 10^ 
20 which is one embodiment relating to the present invention. 

1. Image playback system 10 

The image playback system 10 is, as shown in FIG. 1, 
made up of a server apparatus 100 and an image playback 
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apparatus 200^ which are connected to each other via an 
Internet 20^ and includes a remote controller 30 for 
controlling the image playback apparatus. 

The server apparatus 100 encrypts a content^ and 
5 transmits the encrypted content to the image playback 
apparatus 200 via the Internet 20. The image playback 
apparatus 200 receives the encrypted content^, decrypts the 
received encrypted content to generate a content, plays 
back the generated content, and outputs the image and the 
10 audio to the monitor 50 and to the speaker 40, both of which 
are connected to the image playback apparatus 200. 

Structure of server apparatus 100 
The server apparatus 100 is, as shown in FIG. 2, made 

15 up of an information storage unit 101, a random-number 
generation unit 102, a first encryption unit 103, a hash 
unit 104, a second encryption unit 105, a 
transmission/reception unit 106, a control unit 107, an 
input unit 108, and a display unit 109. 

20 The server apparatus 100 is specifically a computer 

system constituted by a microprocessor, a ROM, a RAM, a 
hard disk unit, a display unit, a key board, a mouse, and 
the like. The RAM or the hard disk unit records therein 
a computer program. The server apparatus 100 performs part 



of its function^ by the microprocessor operating according 
to the computer program. 

(1) Information storage unit 101 

5 The information storage unit 101^ as shown in FIG. 

2f stores therein a public key Kp, a content key Kc^ and 
a content C. 

The public key Kp is generated based on a secret key 
Ks generated using a key generation method of the NTRU 
10 cryptosystem^ and has 1841 bit length for a 2 63-dimension 
NTRU cryptosystem. The secret key Ks will be detailed 
later . 

The content C is movie data made of image information 
and audio information. 

15 

(2) Random-number generation unit 102 

The random-number generation unit 102^ by being 
controlled by the control unit 107^ repeats^ five times^ 
a series of the following operations: generating a random 
20 number Ri having 64 bits ; and outputting the generated random 
number Ri to the first encryption unit 103. 

(3) First encryption unit 103 

The first encryption unit 103^ by being controlled 



8 



by the control unit 107^ reads the public key Kp and the 
content key Kc from the information storage unit 101 . Then 
the first encryption unit 103 repeats the following 
operations (a) - (c) five times^ by being controlled by the 
control unit 107. 

(a) Receive a random number Ri from the 
random-number generation unit 102. 

(b) Concatenate the read content key Kc with the 
received random number Ri (i.e.^ Kc| |Ri) . 

(c) Perform an encryption algorithm End on the 
concatenation of the content key Kc and the random 
number Ri, to generate an encrypted content key 
Ekci . 

i.e., Ekci=Encl (Kp, Kc I |Ri) 

Here I " is an operator representing 

concatenation, the encryption algorithm End is 
an algorithm of the NTRU cryptosystem, and 
X=Encl(Y,Z) shows that the encryption algorithm 
End is performed on a plaintext Z using a key Y, 
to generate a cipher text X. 
In the above way, five encrypted content keys Ekcl, 

Ekc2, Ekc5 are generated. 

Next, the first encryption unit 103 outputs the five 

encrypted content keys Ekcl, Ekc2, ■■■ , Ekc5, to the 



transmission/reception unit 106. 

Please note here that^ in FIG. 2^ each block is 
connected to the other blocks, by a connection line (the 
drawing does not show all the connection lines) . Each 
5 connection line signifies a path through which a signal 
or information is transmitted. In addition, among the 
connection lines connected to the block representing the 
first encryption unit 103, the connection line on which 
a keymark is drawn signifies apath through which information 
10 as a key is transmitted to the first encryption unit 103. 
The same thing applies to the block representing the second 
encryption unit 105. The same thing also applies to the 
other drawings. 



15 (4) Hash unit 104 

The hash unit 104, by being controlled by the control 
unit 107, reads the content key Kc from the information 
storage unit 101 and performs a hash function ^^Hash'' on 
the read content key Kc to generate a hash value H, the 
20 hash function ^''Hash" being a one-way function. 
H=Hash (Kc) 

Here, one example of the hash function ^^Hash" is SHA-1 . 
Since the SHA-1 is publicly-known, the explanation thereof 
is omitted here. In this case, the length of the hash value 
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H is 160 bits. 

Next^ the hash unit 104 outputs the generated hash 
value H to the transmission/reception unit 106. 

5 (5) Second encryption unit 105 

The second encryption unit 105, by being controlled 
by the control unit 107, reads the content key Kc and the 
content C from the information storage unit 101 , and performs 
the encryption algorithm Enc2 on the read content C using 
10 the read content key Kc, to generate an encrypted content 
EC. 

EC=Enc2 (Kc,C) 

Here, the encryption algorithm Enc2 is an algorithm 
of triple DES. Since the triple DES is publicly-known, 
15 the explanation thereof is omitted here. 

Next, the second encryption unit 105 outputs the 
generated encrypted content EC to the 

transmission/reception unit 106. 

20 (6) Transmission/reception unit 106 

The transmission/reception unit 106 is connected to 

the image playback apparatus 200, via the Internet 20. 

The transmission/reception unit 106, by being 

controlled by the control unit 107, receives the five 
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encrypted content keys Ekcl, Ekc2, " , Ekc5 from the first 
encryption unit 103^ receives the hash value H from the 
hash unit 104^ and receives the encrypted content EC from 
the second encryption unit 105. The 

5 transmission/ reception unit 106 then transmits the received 
five encrypted content keys Ekcl^ Ekc2, •••^ Ekc5, the hash 
value and the encrypted content EC^ to the image playback 
apparatus 200 via the Internet 20. 



10 (7) Control unit 107^ Input unit 108^ and Display 

unit 109 

The control unit 107 controls the random-number 
generation unit 102, the first encryption unit 103, the 
hash unit 104, the second encryption unit 105, and the 
15 transmission/reception unit 106. 

The input unit 108 receives an operation instruction 
from an operator of the server apparatus 100, and outputs 
the received instruction to the control unit 107. 

The display unit 109 displays various kinds of 
20 information, by being controlled by the control unit 107. 



Structure of image playback apparatus 200 
The image playback apparatus 200 is, as shown in FIG. 
3, made up of a transmission/reception unit 201, a first 
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decryption unit 202^ a hash unit 203^ a judgment unit 204^ 
an image storage unit 205^ a second decryption unit 206^ 
a playback unit 207^ a control unit 208^ an input unit 209^ 
and a display unit 210. 
5 Just as the server apparatus 100^ the image playback 

apparatus 200 is constituted by a microprocessor^ a ROM, 
a RAM, and so on . The RAM records therein a computer program . 
The image playback apparatus 200 performs part of its 
function, by the microprocessor operating according to the 
10 computer program. 

(1) Image storage unit 205 

As shown in FIG. 3, the image storage unit 205 stores 
therein a secret key Ks . 
15 The secret key Ks is generated using the key generation 

method of the NTRU cryptosystem, and has 415 bit length 
for a 2 63-dimension NTRU cryptosystem . 

(2) Transmission/reception unit 201 

20 The transmission/reception unit 201 is connected to 

the server apparatus 100, via the Internet 20. 

The transmission/reception unit 201, by being 
controlled by the control unit 208, receives the five 
encrypted content keys Ekcl, Ekc2, Ekc5, the hash value 
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and the encrypted content EC . The transmission/reception 
unit 201 outputs the five encrypted content keys Ekcl^ Ekc2^ 
f Ekc5 to the first decryption unit 202, outputs the hash 
value H to the judgment unit 204, and outputs the encrypted 
5 content EC to the second decryption unit 20 6. 

(3) First decryption unit 202 

The first decryption unit 202, by being controlled 
by the control unit 208, receives the five encrypted content 
10 keysEkcl, Ekc2, Ekc5, from the transmission/reception 
unit 201, and reads the secret key Ks from the information 
storage unit 205. The first decryption unit 202 repeats 
the following operations (a) -(c) five times, by being 
controlled by the control unit 208. 
15 (a) Perform a decryption algorithm Decl on an 

encrypted content key EKci, using the secret key Ks, 
to generate a content key DKci . 
DKci=Decl (Ks, Ekci) 
Here, the decryption algorithm Decl is an algorithm 
20 of the NTRU cryptosystem, and decrypts the cipher 

text generated according to the encryption algorithm 
End. Z=Decl(Y,X) means to perform a decryption 
algorithm Decl on a cipher text X to obtain a decrypted 
text Z . 
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(b) From the generated content key DKci, delete the 
64-bit random-number portion at the very last. 

(c) Output the content key DKci from which the 
random-number portion has been deleted, to the hash 

5 unit 203 and to the judgment unit 204. 

In the above way, five content keys DKci are outputted 
to the hash unit 203 and to the judgment unit 204. 



(4) Hash unit 203 

10 The hash unit 203 performs the following operations 

(a) - (b) five times, by being controlled by the control unit 
208. 

(a) Receive a content key DKci from the first 
decryption unit 202. 
15 (b) Perform the hash function ^^Hash" on the received 

content key DKci, to generate a hash value Hi. 
Hi=Hash (DKci) 

Next the hash unit 2 03 outputs the generated hash value 
Hi to the judgment unit 2 04. 

20 

(5) Judgment unit 20 4 

The judgment unit 204, by being controlled by the 
control unit 208, receives the hash value H from the 
transmission/reception unit 201, and repeats five times 
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the following operations (a) - (d) . 

(a) Receives a hash value Hi from the hash unit 
203. 

(b) Receive a content key DKci from the first 
5 decryption unit 202. 

(c) Judges whether the hash value H is identical 
to the hash value Hi. 

(d) If judging affirmatively^ stores the value of 
^^i'' and the content key DKci^ in association. 

10 

If there is any value of ^^i'' stored after the above 
operations (a) -(d) are performed five times^ it is judged 
that the encrypted content key has been correctly decrypted, 
and the content key DKci stored in association with the 
15 value of ^^i" is outputted to the second decryption unit 
206, and a decryption result showing that the decryption 
has been correctly performed is outputted to the control 
unit 208. 

If there is no value of ^^i" stored, it is judged that 
20 the encrypted content key has not been correctly decrypted, 
and a decryption result representing such is outputted to 
the control unit 208. 

(6) Second decryption unit 206 
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The second decryption unit 206, by being controlled 
by the control unit 208, receives the content key DKci from 
the judgment unit 204, receives the encrypted content EC 
from the transmission/reception unit 201, and performs a 
5 decryption algorithm Dec2 on the received encrypted content 
EC using the received content key DKci, to generate a content 
C. 

Here, the decryption algorithm Dec2 is an algorithm 
of triple DES, and decrypts the cipher text generated 
10 according to the encryption algorithm Enc2 . 

Then, the second decryption unit 206 outputs the 
generated content C to the playback unit 207. 

(7) Playback unit 207 

The playback unit 207, by being controlled by the 
15 control unit 208, receives a content C, plays back the 
received content C, generates an image signal and an audio 
signal, and outputs the image signal and the audio signal 
to the monitor 50 and to the speaker 40, respectively. 

The monitor 50 and the speaker 40 respectively output 
20 the images and the corresponding audio. 

(8) Control unit 208, input unit 209, and display 
unit 210 

The control unit 208 controls the 
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transmission/reception unit 201, the first decryption unit 
202, the hash unit 203, the judgment unit 204, the second 
decryption unit 206, and the playback unit 207. 

The control unit 208 receives a decryption result 
5 either showing that the encrypted content key has been 
correctly decrypted, or showing that it has not been 
correctly decrypted . 

When receiving a decryption result showing that the 
encrypted content key has not been correctly decrypted, 
10 the control unit 208 controls the second decryption unit 
206 not to perform decryption, and controls the display 
unit 210 to display ^Mecryption error". 

When receiving a decryption result showing that the 
encrypted content key has been correctly decrypted, the 
15 control unit 208 controls the second decryption unit 206 
to perform decryption. 

The input unit 209 receives an operation instruction 
from a user of the image playback apparatus 200, and outputs 
the received instruction to the control unit 208. 
20 The display unit 210 displays various types of 

information, by being controlled by the control unit 208. 

Operation of image playback system 10 
The following describes operations performed by the 
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image playback system 10. 

(1) Operation of server apparatus 100 
The following describes operations of the server 
apparatus 100, with use of the flowchart shown in FIG. 4. 
5 The first encryption unit 103 reads a content key Kc 

from the information storage unit 101 (Step SlOl) , and then 
reads a public key Kp (Step S102) . 

Next, the control unit 107 performs control so that 
Steps S104-S105 are repeated five times, at Steps S10 3-S106 . 
10 Please note that in the notations of the random number Ri 
and the encrypted content key Ekci, the ^^i'' is a suffix 
representing a time of repeating, and changes to i=l, 2, 
3, 4, 5, at each repetition. 

The random-number generation unit 102 generates a 
15 random number Ri of 64 bits, outputs the generated random 
number Ri to the first encryption unit 103 (Step S104) . 
The first encryption unit 103 concatenates the content key 
Kc with the random number Ri, and performs the encryption 
algorithm End on the concatenation of the content key Kc 
20 and the random number Ri, thereby generating an encrypted 
content key EKci (Step S105) . 

By repeating Steps S104-S105 five times in the above 
way, five encrypted content keys Ekcl, Ekc2, Ekc5 are 

generated . 
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Next, the hash unit 104 reads the content key Kc from 
the information storage unit 101, and performs a hash 
function ^^Hash", being a one-way function, on the read 
content key Kc, thereby generating a hash value H (Step 
5 S107) . 

The second encryption unit 105 reads the content key 
Kc from the information storage unit 101 (Step S108) , reads 
the content C (Step S109) , and performs an encryption 
algorithm Enc2 on the read content C using the read content 
10 key Kc, thereby generating an encrypted content EC (Step 
SllO) . 

The transmission/reception unit 106 transmits the 
five encrypted content keys EKcl, EKc2, EKc5, the hash 

value H, and the encrypted content EC, to the image playback 
15 apparatus 200 via the Internet 20 (Step Sill) . 

(2) Operation of image playback apparatus 200 
The following describes operations of the image 
playback apparatus 200, with use of the flowcharts shown 
20 in FIGS. 5 and 6. 

The transmission/reception unit 201 receives the five 
content keys EKcl, EKc2, EKc5, the hash value H, and 

the encrypted content EC, from the server apparatus 100 
and via the Internet 100, and outputs the content keys EKcl, 
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EKc2, EKc5 to the first decryption unit 202, the hash 

value H to the judgment unit 204, and the encrypted content 
EC to the second decryption unit 206 (Step S131). 

The first decryption unit 202 reads the secret key 
5 Ks from the information storage unit 205 (StepS132). Next, 
the control unit 20 8 performs control so that Steps S134-S138 
are repeated five times, at Steps S133-S139. Please note 
that in the notations of the encrypted content key Ekci, 
the content key DKci, and the hash value Hi, the ^^i'' is 

10 a suffix representing a time of repeating, and changes to 
i=l, 2, 3, 4, 5, at each repetition. 

The first decryption unit 202 performs a decryption 
algorithm Decl on the encrypted content key Ekci, using 
the secret key Ks, thereby generating a content key DKci 

15 (StepS134) , and from the generated content key DKci, deletes 
a 64-bit random-number portion at the very last, and outputs 
the content key DKci from which the random-number portion 
has been deleted, to the hash unit 203 and to the judgment 
unit 204 (Step S135) . 

20 Then, the hash unit 203 receives the content key DKci 

from the first decryption unit 202, and performs the hash 
function ^^Hash" on the received content key DKci, thereby 
generating a hash value Hi (Step S136) . 

The judgment unit 204 receives the hash value Hi from 
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the hash unit 203, receives the content key DKci from the 
first decryption unit 202, judges whether the hash value 
H and the hash value Hi are identical (Step S137) , and if 
they are identical (Step S137) , memorizes the value of ^^i" 
5 at this time, in correspondence with the content key DKci 
(Step S138) . 

After Steps S134-S138are repeated five times , if there 
is a memorized value of ^^i" (Step S140) , it is judged that 
the decryption of the encrypted content key has been 

10 correctly performed, and so the second decryption unit 206 
receives the content key DKci from the judgment unit 204, 
receives the encrypted content EC from the 
transmission/reception unit 201, and performs the 
decryption algorithm Dec2 on the received encrypted content 

15 EC using the received content key DKci, thereby generating 
a content C (Step S141) . The playback unit 207 receives 
the content C from the second decryption unit 206, plays 
back the content C, generates an image signal and an audio 
signal, and outputs the image signal and the audio signal 

20 to the monitor 50 and to the speaker 40, respectively. The 
monitor 50 and the speaker 40 respectively output the images 
and the corresponding audio (Step S142). 

If there is no memorized value of ^^i'' (Step S140), 
the judgment unit 204 judges that none of the five encrypted 
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content keys was decrypted correctly^ and so outputs a 
decryption result indicating such to the control unit 208. 
The control unit 208 controls the second decryption unit 
206 not to perform decryption, controls the display unit 
5 210 to display ^Mecryption error", and so the display unit 
210 displays ^Mecryption error'' (Step S143) . 

In the above description, the control unit 20 8 performs 
control so that Steps S134-S138 are repeated five times, 
at Steps S133-S139. It is also possible that if the hash 
10 value H and the hash value Hi are judged to be identical 
at Step S137, the control can come out of the loop of Steps 
S134-S138 . 



Summary 

15 As described above, this embodiment attempts to reduce 

the possibility that a message m (^^content key'' in the 
embodiment) cannot be decrypted, by encrypting and 
transmitting the message m for several times . Accordingly, 
re-transmission reguest for the message m will not occur 

2 0 so much. 

The transmission apparatus (^^server apparatus" in the 
embodiment) generates randomnumbers R1-R5, generatesmi |R1, 
m I I R2 , m I I R3 , m | | R4 , and m | | R5 , and encrypts each of them, 
to generate Enc (m | | Rl ) , Enc (m | | R2 ) , Enc (m | | R3 ) , Enc (m | | R4 ) , 
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and Enc(m| |R5) . Here^ Enc (x) means to perform the 
encryption algorithm Enc on the plaintext to generate 
a cipher text. Next, the hash value H (m) is calculated. 
The generated Enc(m||Rl), Enc(m||R2), Enc(m||R3), 
5 Enc(m| |R4), and Enc(m| |R5), together with the hash value 
H (m) are then transmitted to the reception apparatus (^^image 
playback apparatus" in the embodiment) . 

The reception apparatus receives the Enc(m| |R1), 
Enc(m| |R2) , Enc(m| |R3) , Enc (m | | R4 ) , and Enc(m| |R5) , 

10 together with the hash value H (m) , and decrypts Enc (m | I Rl ) , 
Enc(m||R2), Enc(m||R3), Enc(m||R4), and Enc(m||R5), to 
obtain a part of each of them, namely, ml, m2, "••m5, which 
corresponds to a message. Furthermore, the hash value of 
each of ml , m2 , •••m5 is calculated (H (ml ) , H (m2 ) , •••H (m5 ) ) . 

15 Then each of the calculated hash values is compared to the 
hash value H (m) . In this comparison, if there is at least 
one matching pair of the calculated hash value and the 
received hash value H (m) , then the message (out of ml, m2, 
•••mS) that corresponds to the matching hash value is 

20 outputted as a decrypted text . If there is no such matching 
pair, ^^False" indicating decryption error is outputted. 

In the NTRU cryptosystem of 2 63 dimensions, the 
probability of causing decryption error for one cipher text 
is about 10"^. Since five cipher texts are transmitted in 



the above-described embodiment, the probability of causing 
re-transmission request will be about 10"^^ (= 10"^ * 10"^ 
* 10"^ * 10"^ * 10"^) . On the other hand, the probability 
of attack success in the 1024-bit RSAencryption is 20"^°=10"^'^ 
5 Therefore, if the above-described embodiment is applied 
to the 2 63-dimension NTRU cryptosystem, the probability 
of attack success becomes lower than the case of the 1024-bit 
RSA encryption. 

10 2. Other modification examples 

So far, the present invention has been described based 
on the above-described embodiment. However needless to 
say, the present invention should not be limited to the 
above-described embodiment, and may include the following 

15 cases. 

(1) In the above-described embodiment , five encrypted 
content keys are transmitted. However, five encrypted 
contents may be transmitted instead. 

(2) In the above-described embodiment, the 
20 transmission apparatus generates five cipher texts and 

transmits them, and the reception apparatus receives the 
five cipher texts and decrypts them. However, the number 
of the cipher texts is not limited to 5, and may be 3, or 
7, for example. In addition, the transmission apparatus 



may generate two or more cipher texts and transmit them^ 
and the reception apparatus receives these cipher texts^ 
decrypts them^ and uses them in judgment as to whether 
decryption error has occurred. As stated above, the number 
5 of cipher texts affects the probability of attack success, 
and larger the number of cipher texts, the probability of 
attack success will be lessened. 

(3) In the above-described embodiments, an encryption 
algorithm is performed on a concatenation of the message 

10 m to be encrypted and a random number generated each time. 
However, the transmission apparatus may perform another 
operation on the message m in advance, and perform the 
encryption algorithm on the concatenation of the operation 
result and the random number. 

15 For example, the transmission apparatus may add, to 

the message m, "'C, ''1'', '^2'', "'3'', and 'M'', respectively, 
to obtain '"m", '"m+l", '"m+2", '"m+3", and ''m+4". The 
transmission apparatus then performs an encryption 
algorithm on each concatenation of a calculation result 

2 0 and a random number, to generate Enc (m | | Rl ) , Enc (m+1 | | R2 ) , 
Enc (m+2 | | R3 ) , Enc (m+3 | I R4 ) , Enc (m+4 I I R5 ) . 

The reception apparatus decrypts Enc(m| |R1), 
Enc (m+1 I I R2) , Enc (m+2 | | R3 ) , Enc (m+3 | | R4 ) , Enc (m+4 | | R5 ) , 
and deletes, from each of the decryption results, a 
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random-number portion at the very last, the random-number 
portion having a predetermined length. The reception 
apparatus then subtracts ^^0", ^^1", ^^2", ^^3'\ 
respectively from the decryption results from which their 
5 random-number portion has been subtracted, thereby 
obtaining information that corresponds to the message m. 

(4) In the above-described embodiment, the 
transmission apparatus concatenates the message m with the 
random number, in the stated order, and performs an 

10 encryption algorithm on the concatenation results. 
However, the order of concatenation may be reversed (i.e., 
the random number and the message m may be concatenated 
in this order) .Moreover, the message m and the random number 
may be alternately concatenated bit by bit. If such 

15 concatenation methods are adopted, the reception apparatus 
can obtain information corresponding to the message m, by 
performing their reverse operation, respectively. 

(5) In the above-described embodiment, the server 
apparatus transmits five encrypted content keys, an 

20 encrypted content, and a hash value, to the image playback 
apparatus via the Internet . However, the present invention 
is not limited to this embodiment. 

It is also possible that a digital broadcast 
transmission apparatus (instead of the server apparatus) 



may broadcast the five encrypted content keys, the encrypted 
content, and the hash value, via a digital broadcast wave 
(instead of the Internet) , and that a digital broadcast 
reception apparatus (instead of the image playback 
apparatus) receives the digital broadcast wave, to extract 
the five encrypted content keys, the encrypted content, 
and the hash value, from the received digital broadcast 
wave . 

(6) The image playback system 10 may include the image 
playback apparatus 200b and the memory card 300b, instead 
of the image playback apparatus 200. 

The image playback apparatus 200b is eguipped with 
a part of the function that the image playback apparatus 
200 includes, and the memory card 300b is eguipped with 
the other part of the function that the image playback 
apparatus 200 includes. 

Which is to say, the memory card 300b, being inserted 
to the image playback apparatus 200b by a user, receives 
the five encrypted content keys and the hash value from 
the server apparatus 100, judges whether the encrypted 
content keys have been correctly decrypted, and if judging 
affirmatively, outputs the correctly decrypted content key 
to the image playback apparatus 2 00b. The image playback 
apparatus 200b receives the content key from the memory 
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card 300b, and decrypts the encrypted content received from 
the server apparatus 100, for playback. 

Specifically, as FIG. 7 shows, the image playback 
apparatus 200b is composed of a transmission/reception unit 
5 201, a second decryption unit 206, a playback unit 207, 
a control unit 208, an input unit 209, a display unit 210, 
an input/output unit 211, and an authentication unit 212. 

Here, among the components of the image playback 
apparatus 200b, the transmission/reception unit 201, the 

10 second decryption unit 206, the playback unit 207, the 
control unit 208, the input unit 209, and the display unit 
210 are respectively the same as the counterparts of the 
image playback apparatus 200, namely, the 
transmission/ reception unit 201, the second decryption unit 

15 206, the playback unit 207, the control unit 208, the input 
unit 209, and the display unit 210. In addition, the 
input/output unit 211 performs input/output of information 
between the memory card 30 0b and the other components of 
the image playback apparatus 200b. Furthermore, the 

20 authentication unit 212, when a memory card is inserted 
in the image playback apparatus 200b, performs mutual device 
authentication with the inserted memory card. Only when 
the device authentication has succeeded, input/output 
thereafter will be performed. 
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As FIG. 7 shows, the memory card 300b is composed of 
an input/output unit 301, an authentication unit 302, a 
first decryption unit 202b, a hash unit 203b, a judgment 
unit 204b, and an information storage unit 205b. 

Here, the first decryption unit 202b, the hash unit 
203b, the judgment unit 204b, and the information storage 
unit 205b are respectively the same as the counterparts 
of the image playback apparatus 200, namely, the first 
decryption unit 202, the hash unit 203, the judgment unit 
204, and the information storage unit 205. In addition, 
the input/output unit 301 performs input/output of 
information between the other components of the memory card 
300b and the image playback apparatus 200b. Furthermore, 
the authentication unit 302, when the memory card 300b is 
inserted into an apparatus, performs mutual device 
authentication with the apparatus in which the memory card 
3 0 0b has been inserted . Only when the device authentication 
has succeeded, input/output thereafter will be performed. 
(7) Another embodiment 

The following describes a BD (Blu-ray disc) playback 
system 10c, which is another embodiment relating to the 
present invention . 

As FIG . 8 shows , the BD playback system 1 Oc is composed 
of a server apparatus 100c, a BD player 200c, and a portable 
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telephone 400c . The server apparatus 100c and the portable 
telephone 400c are connected to each other^ via the Internet 
20, the portable telephone network 25, and the wireless 
base station 26. 
5 (Structure of BD playback system 10c) 

The server apparatus 100c has the same structure 
as the server apparatus 100. 

The BD player 200c, as shown in FIG. 9, is composed 
of a drive unit 213, a second decryption unit 20 6, a playback 
10 unit 207, a control unit 208, an input unit 209, a display 
unit 210, an input/output unit 211, and an authentication 
unit 212. 

Here, among the components of the BD player 200c, 
the second decryption unit 206, the playback unit 207, the 

15 control unit 208, the input unit 209, and the display unit 
210 are respectively the same as the counterparts of the 
image playback apparatus 200, namely, the second decryption 
unit 206, the playback unit 207, the control unit 208, the 
input unit 209, and the display unit 210. In addition, 

20 the input unit 211 performs input/output of information 
between the memory card 30 0c and the other components of 
the BD player 200c. Furthermore, the authentication unit 
212, when a memory card is inserted in the BD player 200c, 
performs mutual device authentication with the inserted 
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memory card. Only when the device authentication has 
succeeded^ input/output thereafter will be performed. The 
drive unit 213 reads an encrypted content from the inserted 
BD60^ and outputs the read encrypted content to the second 
5 decryption unit 206. 

As FIG. 9 shows^ the memory card 300c is composed 
of an input/output unit 301c^ an authentication unit 302c^ 
a first decryption unit 202c, a hash unit 203c, a judgment 
unit 204c, and an information storage unit 205c. 

10 Here, the first decryption unit 202c, the hash unit 

203c, the judgment unit 204c, and the information storage 
unit 205c are respectively the same as the counterparts 
of the image playback apparatus 200, namely, the first 
decryption unit 202, the hash unit 203, the judgment unit 

15 204, and the information storage unit 205. In addition, 
the input/output unit 301c performs input/output of 
information between the other components of the memory card 
300c and the BD player 200c. Furthermore, the 

authentication unit 302c, when the memory card 300c is 

20 inserted in an apparatus, performs mutual authentication 
with the apparatus in which the memory card 300c has been 
inserted. Only when the device authentication has 
succeeded, input/output thereafter will be performed. The 
information storage unit 205 has an area for storing a secret 
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key Ks, five encrypted content keys^ a hash value, and a 
content key having been reproduced. 



(Operation of BD playback system 10c) 
5 A BD60 is distributed, which stores therein an 

encrypted content generated by encrypting a content with 
use of a content key. A user acquires this BD60. 

The content key is distributed through a different 
route from a route through which the BD60 is distributed. 
10 Just as the server apparatus 100, the server 

apparatus 100c generates five encrypted content keys and 
a hash value from the content key, and transmits the five 
encrypted content keys and the hash value to the portable 
telephone 400c, via the Internet 20, the portable telephone 
15 network 25, and the wireless base station 26. 

A user inserts the memory card 300c to the portable 
telephone 400c. 

The portable telephone 400c receives the five 
encrypted content keys and the hash value from the server 
20 apparatus 100c, and writes the five encrypted content keys 
and the hash value to the information storage unit 205c, 
via the input/output unit 301c of the memory card 300c. 

The information storage unit 205c of the memory card 
300c temporarily stores the five encrypted content keys 
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and the hash value. The first decryption unit 202c reads^ 
from the information storage unit 205c, encrypted content 
keys and decodes them, and outputs the content keys after 
decryption to the hash unit 203c and to the judgment unit 
5 204c. The judgment unit 204c reads the hash value from 
the information storage unit 205c, and judges whether the 
encrypted content keys have been correctly decoded, with 
reference to the content keys after decryption . If judging 
affirmatively, the judgment unit 204c writes the correctly 

10 decoded content key to the information storage unit 205c. 

The memory card 300c and the BD60 are inserted into 
the BD player 200c by a user. 

The BD player 200c reads the encrypted content from 
the BD60, reads the correctly decoded content key from the 

15 information storage unit 205c of the memory card 300c, 
decodes the read encrypted content using the read content 
key, to generate a content , plays back the generated content , 
and outputs the images and the audios to the monitor 50 
and to the speaker 40, which have been connected to the 

20 BD player 200c. 

(8) In the above-described embodiment, the NTRU 
cryptosystem of 263 dimensions is used, and the bit lengths 
of the secret key and the public key are respectively set 
as 415 bits, and 1841 bits. However, the dimension and 
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the bit length are only one example. 

In addition^ the hash unit 104 and the hash unit 
203 use SHA-1 as a hash function ^^Hash". However^ other 
hash functions may be used instead. 
5 (9) The present invention may be the methods described 

above . In addition, the present invention may be a computer 
program realizing these methods on a computer, and may be 
a digital signal made up of the computer program. 

Furthermore, the present invention may be a 

10 computer-readable recording medium on which the computer 
program or the digital signal is recorded. The examples 
of the computer-readable recording medium include a 
flexible disk, a hard disk, a CD-ROM, a MO, a DVD, a DVD-ROM, 
a DVD-RAM, a BD (Blu-ray disc) , and a semiconductor memory. 

15 Still further, the present invention may be the computer 
program or the digital signal recorded on such a recording 
medium. 

In addition, the present invention may be the computer 
program or the digital signal, which is transmitted via 
20 an electric communication circuit, wireless/wired 
communication circuits, and a network such as the Internet, 
and data broadcast. 

In addition, the present invention may be a computer 
system eguipped with a microprocessor and a memory, where 
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the memory stores therein the computer program^ and the 
microprocessor operates according to the computer program. 

In addition^ the computer program or the digital signal 
may be executed on another and independent computer system^ 
5 by being transmitted either in the form of the recording 
medium, or via the network and the like. 

(10) The present invention may be combination of any 
of the embodiments and the modification examples. 

10 3. Effect of Invention 

As described so far, the present invention is an 
encryption communication system for secret message 
communication, having an encryption transmission apparatus 
and an encryption reception apparatus, where the encryption 

15 transmission apparatus includes : a storage unit that stores 
therein one message; an encryption unit operable to perform 
an encryption computation on the message a plural number 
of times, thereby generating ciphertexts egual in number 
to the number of times of the encryption computation; a 

20 computation unit operable to perform a one-way operation 
on the message, thereby generating a comparison computation 
value; and a transmission unit operable to transmit the 
ciphertexts and the comparison computation value. The 
encryption reception apparatus includes: a reception unit 
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operable to receive the ciphertexts and the comparison 
computation value; a decryption unit operable to perform 
a decryption computation, which corresponds to the 
encryption computation, on each of the ciphertexts , thereby 
5 generating decrypted messages egual in number to the number 
of the ciphertexts; a computation unit operable to perform 
the one-way operation on each of the decrypted messages, 
thereby generating decryption computation values egual in 
number to the number of the decrypted messages ; and a judging 

10 unit operable to compare the decryption computation values 
with the received comparison computation value, and i) if 
at least one of the decryption computation values matches 
the received comparison computation value, output a 
corresponding decrypted message as a correct decrypted text, 

15 and ii) if none of the decryption computation values matches 
the received comparison computation value, output a 
decryption error. 

The present invention is also an encryption 
transmission apparatus for secret message communication, 

20 having: a storage unit that stores therein one message; 
an encryption unit operable to perform an encryption 
computation on the message a plural number of times, thereby 
generating ciphertexts egual in number to the number of 
times of the encryption computation; a computation unit 
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operable to perform a one-way operation on the message^ 
thereby generating a comparison computation value; and 
a transmission unit operable to transmit the ciphertexts 
and the comparison computation value. 
5 The present invention is also an encryption reception 

apparatus for secret message communication, where the 
encryption transmission apparatus stores therein one 
message, performs an encryption computation on the message 
a plural number of times thereby generating ciphertexts 

10 egual in number to the number of the encryption computation, 
performs a one-way operation on the message thereby 
generating a comparison computation value, and transmits 
the ciphertexts and the comparison computation value. The 
encryption reception apparatus having: a reception unit 

15 operable to receive the ciphertexts and the comparison 
computation value; a decryption unit operable to perform 
a decryption computation, which corresponds to the 
encryption computation, on each of the ciphertexts , thereby 
generating decrypted messages egual in number to the number 

20 of the ciphertexts; a computation unit operable to perform 
the one-way operation on each of the decrypted messages, 
thereby generating decryption computation values egual in 
number to the number of the decrypted messages ; and a j udging 
unit operable to compare the decryption computation values 
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with the received comparison computation value^ and i) if 
at least one of the decryption computation values matches 
the received comparison computation value^ output a 
corresponding decrypted message as a correct decrypted text, 
5 and ii) if none of the decryption computation values matches 
the received comparison computation value, output a 
decryption error. 

According to these constructions, the encryption 
transmission apparatus generates a plural number of 

10 ciphertexts from a message, and performs a one-way 
computation on the message to generate a comparison 
computation value. The encryption reception apparatus 
decrypts the ciphertexts thereby generating decrypted 
messages equal in number to the number of the ciphertexts, 

15 and performs the one-way computation on the decrypted 
messages to generate decryption computation values equal 
in number to the number of the decrypted messages. If at 
least one of the decryption computation values matches the 
comparison computation value, the encryption transmission 

20 apparatus outputs the corresponding decryption message, 
and if none of the decryption computation values matches 
the comparison computation value, outputs a decryption 
error. Therefore the above-mentioned constructions 
restrain a probability of error generation at the time of 
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decryption to be low^ and so heighten possibility of avoiding 
attacks that take advantage of re-transmission request. 

Here^ the encryption unit may have: an encryption 
computation subunit operable to perform an invertible data 
conversion on the message thereby generating a converted 
message^ and perform an encryption algorithm on the 
converted message thereby generating a ciphertext; and a 
repetition control subunit operable to control the 
encryption computation subunit to repeat the generation 
of converted message and the generation of ciphertext^ the 
plural number of times. 

In addition^ it is possible to have a structure in 
which the encryption transmission apparatus performs an 
invertible data conversion on the message thereby 
generating a converted message, performs an encryption 
algorithm on the converted message thereby generating a 
ciphertext, and repeats the generation of converted message 
and the generation of ciphertext, the plural number of times , 
and the decryption unit has: a decryption computation 
subunit operable to perform a decryption algorithm, which 
corresponds to the encryption algorithm, on a ciphertext 
thereby generating a decrypted text, and perform an inverse 
conversion of the invertible data conversion on the 
decrypted text thereby generating a decrypted message; and 
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a repetition control subunit operable to control the 
decryption computation subunit to repeat the generation 
of decrypted content and the generation of decrypted message^ 
the plural number of times. 
5 According to these constructions^ the encryption 

transmission apparatus performs an invertible data 
conversion on the message to generate a converted message^ 
and performs an encryption algorithm on the converted 
message to generate a ciphertext. Therefore even when the 

10 ciphertext to be transmitted is intercepted on the 
transmission path and is encrypted^ the original message 
has little chance of being revealed. In addition^ the 
encryption reception apparatus performs, on the ciphertext, 
a decryption algorithm that corresponds to the encryption 

15 algorithm to generate a decrypted text, and performs an 
inverse conversion of the invertible data conversion on 
the decrypted text to generate a decrypted message. 
Therefore generation of a decrypted message corresponding 
to the message is assured. 

2 0 Here , the encryption computation subunit may generate 

a random number of fixed length, and generates the converted 
message by adding the random number to the message. 

In addition, it is possible to have a structure in 
which the encryption transmission apparatus generates a 
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random number of fixed length, and generates the converted 
message by adding the random number to the message, and 
the decryption computation subunit generates the decrypted 
message by removing the random number of fixed length from 
5 the decrypted content. 

According to these constructions, the encryption 
transmission apparatus adds a random number of fixed length 
to the message, thereby generating a converted message. 
Therefore an inverse conversion is easily performed. In 

10 addition, the encryption reception apparatus removes, from 
the generated decrypted text, the random number of fixed 
length to generate a decrypted message. Therefore 
generation of a decrypted message is assured. 

Each of the apparatuses and of the recording media, 

15 which constitutes the present invention, may be used 
managerially, continuously, and repeatedly , in any industry 
related to secret message communication. Furthermore, 
each of the apparatuses and of the recording media, which 
constitutes the present invention, may be produced and sold 

20 in manufacturing industries of electric appliances, 
managerially, continuously, and repeatedly. 
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